CVE-2022-43397 - Out-Of-Bounds Write in Parasolid – How a Simple X_T File Can Compromise Your CAD Platform

Parasolid is the geometry kernel behind many mainstream computer-aided design (CAD) applications—think SOLIDWORKS, Siemens NX, and others. A vulnerability in Parasolid, identified as CVE-2022-43397, was publicly disclosed in late 2022, affecting multiple versions before they received critical updates. In this post, I break down what this bug means, show you how a simple file can trigger it, and point you to official resources. Let’s get started.

What is CVE-2022-43397?

CVE-2022-43397 is a security vulnerability caused by an *out-of-bounds write* in Parasolid’s code when parsing certain types of X_T files. If a specially crafted file is opened, malicious code might overwrite parts of program memory—giving an attacker a pathway to run arbitrary code under your session.

Parasolid V35.: All versions < V35..170

The bug was reported by the Zero Day Initiative.

Getting Technical: What’s an “Out-of-Bounds Write”?

An *out-of-bounds write* happens when a program writes more data to a spot in memory than it’s supposed to—usually past the end of an allocated buffer. In this case, Parasolid allocates a block of memory while loading an X_T file, but due to improper checks, a clever attacker could craft file data that causes Parasolid to overwrite memory it shouldn’t touch.

Result: The attacker can possibly inject code and force Parasolid (and any application using it) to execute it. All the attacker needs to do is convince someone to open the malicious file!

Exploit Details (With Example Code)

Based on public advisories and known vulnerabilities in geometry kernels, here’s a typical flow of abuse. Since the Parasolid source code isn’t open, let’s use pseudo code to illustrate.

Say you have a buffer in the code for parsing array data from the file

// Pseudo code: dangerous buffer copy
int count = read_int_from_file();
double *points = malloc(count * sizeof(double));

for (int i = ; i < count; i++) {
    points[i] = read_double_from_file();
}

If the attacker makes count huge (or negative and wraps around), the buffer might get smaller (or barely allocated) but the code will still write as if it’s legitimate data, thus overstepping bounds.

While X_T format specifics are closed, prior research shows attacker can fudge a record's length

HEADER
Solid data...
START-SEGMENT
Number of entities: 4294967295  // Super high count!
Entity data...
END-SEGMENT

When Parasolid reads 4294967295 (i.e., xFFFFFFFF), it might allocate bytes or a small chunk, but then process as if there’s a massive array.

3. Crashing or Taking Control

If the overwritten data contains function pointers or important control data, malicious code could be executed upon the next function call or process jump.

Proof-of-Concept (PoC) Crash

Here's a simple PoC in Python that creates an oversized count in a fake X_T file—intended only for educational and testing purposes in a safe, patched environment:

# PoC: Generates a crafted X_T file
with open("crash.xt", "w") as f:
    f.write("HEADER\n")
    f.write("DATA\n")
    f.write("START-SEGMENT\n")
    f.write("Number of entities: 4294967295\n")  # Intentionally too large
    for _ in range(10):
        f.write("Entity data: .\n")
    f.write("END-SEGMENT\n")

Open this file with *unpatched* Parasolid-based software (don’t do this on a real environment!) and it should crash, demonstrating the out-of-bounds write possibility.

Wait for a designer or engineer to open it in any Parasolid-based system

- Gain the same privileges as the user—leaking intellectual property, damaging parts, or deploying ransomware

This vulnerability is especially dangerous because file types like X_T aren’t usually scanned as thoroughly as executables.

Patching the Vulnerability

Siemens addressed CVE-2022-43397 in their official advisory:

| Version | Fixed Version |
|----------------|----------------|
| Parasolid V34.| V34..252 |
| Parasolid V34.1| V34.1.242 |
| Parasolid V35.| V35..170 |

> Update immediately. If your software vendor hasn’t backported the patch, *ask them when they will!*

Open untrusted files in virtual machines or sandboxes.

- Educate your team about not opening files from unknown sources, even if they are just “geometry files.”

References & More Info

- Zero Day Initiative Advisory: ZDI-CAN-17854 (CVE-2022-43397)
- Siemens CERT: SSA-827591
- MITRE Entry for CVE-2022-43397

Conclusion

CVE-2022-43397 is a classic example of how seemingly harmless data files can turn into attack vectors. If you use Parasolid—directly or through another application—keep it patched. This vulnerability shows that even the file formats you trust every day can be a serious security risk.

Stay safe, keep your tools updated, and remember—it’s not just .exe or .dll that can bite you; *CAD files* can be weapons too.


*This article is for educational purposes only. Always use exploits and test files only in lab setups you control. Respect software licensing and responsible disclosure practices.*

Timeline

Published on: 11/08/2022 11:15:00 UTC
Last modified on: 11/08/2022 16:27:00 UTC